The attack began on 18 October, denying access to several HSBC sites and the First Direct online bank.
HSBC’s statement confirmed that the attack only limited access and that no customer data was affected. It read: “This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking. We are taking appropriate action, working hard to restore service.
“We are pleased to say that some sites are now back up and running. We are cooperating with the relevant authorities and will co-operate with other organisations that have been similarly affected by such criminal acts.”
Although DDoS attacks are nothing new to the cyber world and are becoming increasingly frequent and powerful, it still came as something of a surprise to see such a huge, global banking firm taken down by a seemingly simple attack.
We asked one of the security experts from online security specialists Secarma what they thought of the whole thing: “We’ve been monitoring the DDoS attacks on HSBC which claim to be from an Anonymous group (@fawkessecurity) who have also committed to target other British banks in the near future,” said their security bod.
“A bank the size of HSBC will obviously have some sort of mitigation in place; however, an evolving type of DDoS is complex multi-vector, which, whilst targeting the network, also attacks the application layer. It’s not uncommon for a DDoS flood to be in the range of 60-100Gbps, especially from a large botnet.
“Organisations must evolve their security practices as fast as their opponents. Keeping ahead of this technology is key to protecting clients and brand reputation.”
HSBC is the latest in a line of financial websites to suffer this kind of attack, with other targets including Capital One, Bank of America and Wells Fargo.